General Data Protection Regulation (GDPR)
What is the GDPR?
On the 25th of May 2018, the old Data Protection Directive (DPD) in Europe was replaced by a new regulation known as the General Data Protection Regulation, or simply GDPR. It has increased the obligations on organizations that collect, store, and process EU citizens’ personally identifiable data. The regulation lays down provisions not only for organizations operating in Europe but also binds organizations outside the EU that handle the data of EU citizens. Replacing the old data protection act means:
More Transparency
GDPR has significantly changed data processing methods by making them more transparent. It sets out clear principles for data controllers to comply with when processing the personal data provided by the data subject.
Enhanced Control
Compared to the DPD (Data Protection Directive), the new regulation gives data subjects (EU citizens) considerably enhanced control over their own data. Who obtains the personal data, and how do they process it? The data subject decides.
Harsher Penalties
Organizations that fall short of complying with the GDPR or violate its terms can face serious consequences. Infringements liable to a fine can attract penalties of up to 4% of annual global turnover or €20 million, whichever amount is larger.
UCare and General Data Protection Regulation
As the data protection of EU member state citizens is mainly governed by GDPR, UCare has not only prepared itself but has also put together the information churches need to ensure compliance. As trust is the decisive factor in the cloud, protecting personal data has always been and will remain the top priority for UCare. The following sections describe the steps that have been taken to ensure maximum compliance with its provisions.
Data Processing Agreement (DPA)
You may download our DPA here: UCare Data Processing Agreement
Email the completed and signed DPA to support@ucarehq.com. The DPA has been pre-signed on behalf of UCare. Upon receipt by UCare of the validly completed DPA at this email address, the DPA becomes legally binding.
Compliance Guide for Churches
A church’s role as a data controller is important. We have simplified things and prepared a separate guide for our customer churches. As a software service provider, we recommend that our churches inform their members about UCare’s role in the administration and management of their organizations and how we enable them to process the personal information they hold. The guide collects sufficient information for churches to ensure that the right practices are followed when collecting and processing the data of EU citizens.
What Churches need to know about GDPR
Privacy Policy
We see the GDPR as a positive development towards the security of personal data, to which we, too, give the utmost importance. Since the GDPR is largely built on the DPD, and we had already made conscious efforts to keep the data of churches and their members protected, we see GDPR as an opportunity for enhanced security and better practices. We have updated our privacy policy to be GDPR compliant.
UCare as Data Processor
UCare, as a data processor, processes data on behalf of the data controller in order to provide improved services and simplified processes. Being based in Australia, only a small portion of the data we process is located in EU member states; we nonetheless maintain the high standard of data processing defined in GDPR.
UCare Sub-processors
Third-party service providers that deliver specific services act as sub-processors. Sub-processors only store and process the personal data you input in order to carry out a specific operation, e.g., providing member details to send an email. Even for this purpose, UCare chooses to work with globally recognized names that also take GDPR compliance into consideration.
The sub-processors that UCare works with:
| Entity Name | Applicable Services | Purposes | Entity Country | GDPR Compliance |
|---|---|---|---|---|
| Microsoft Corporation | Azure, Power BI | Cloud Service Provider, Optional - Data Analytics | United States | |
| Message Systems, Inc | Sparkpost | Email Delivery | United States | |
| Stripe, Inc | Stripe | Payment Processing | United States | |
| Zendesk, Inc | Support, Guide, Talk | Customer Support | United States | |
| Clickatell, Inc | Developer Central | Optional - Text Messaging | United States | |
| The Rocket Science Group, LLC | Mailchimp | Optional - Email Delivery | United States | |
| PayPal Holdings, Inc | PayPal | Optional - Payment Processing | United States | |
| Pushpay Limited | Pushpay | Optional - Payment Processing | New Zealand | |
| Ministry Centered Technologies, Inc | Planning Center Services | Optional - Service Planning | United States | |
| Google, LLC | ReCaptcha | Optional - Avoiding Bot Form Submissions | United States | |
| Calendly, LLC | Calendly | Optional - Appointment Management | United States | |
| UCare Technologies Pty Ltd | UCare | Database Management | Australia | |
Frequently Asked Questions
Where does UCare store EU customer data?
UCare uses Microsoft Azure as its cloud partner. Data is stored in a region that depends on each church’s location; Azure, however, keeps European identity data in EU datacenters. Note that GDPR does not require processors to host or store EU customer data only within the EU.
Does GDPR apply to countries outside of the EU?
If you are a company or organization located outside the EU member states but you collect, store, or process the data of EU citizens, GDPR does apply.
Who is the data subject?
The data subject under GDPR is a natural person from whom you collect identifiable information, which you then hold and further process in connection with your business operations.
Who are the key stakeholders in GDPR?
They are mainly the following:
- Data Subject: The person from whom the Personal Data is collected and processed.
- Data Collector: The organization that primarily collects the information from the Data Subject.
- Data Controller: The entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Processor: A person or organization that acts on behalf of the Data Controller to Process Personal Data.
- Sub-Processor: A third-party organization or business engaged by a Processor to assist in the Processing of Personal Data.
- Supervisory Authorities: Public authorities that monitor the application of the regulation.
Who is exempt from GDPR?
There are very limited exemptions, mostly in connection with the activities of law enforcement, government agencies, and Member States, or the processing of data for household activities. Charities, faith organizations, and even churches do not have an exemption.
Does GDPR inflict real penalties?
Yes, it does. In case of a breach, serious penalties can be imposed on a person or an organization, including fines of up to 4% of annual global turnover or €20 million.
What Churches Need to Know
Many faith organizations and churches are already aware of the GDPR and its impact on data processing. Still, others may need to take note of the following key elements. As a leading church software service provider, UCare has prepared a simple guide for our churches.
Definition of personal data
The GDPR applies when you collect and process data that can identify a natural person (EU citizen). This can be generally identifiable information or data in a special category, i.e., sensitive data. A church may hold both generally identifiable data, e.g., names, emails, and phone numbers, as well as data in the sensitive category, e.g., religious and philosophical beliefs. This covers not only the data of your customers in the EU but also suppliers, employees, and other individuals from whom you collect personal data.
Collection of personal data
Faith organizations and churches are not exempt from the scope of the GDPR. If you collect EU citizens’ data, you now need policies that show why you need the personal information you collect and how you will hold, process, and protect it. Before you obtain personal information, you must clearly state why you need it and how you will use it.
Consent of Data Subject
An important part of GDPR is that the consent of the data subject must be freely given, affirmative, and unambiguous. Consent that is clearly asked for and freely given provides the legal ground to process the data for the purposes to which the data subject has consented. For example, a member gives consent to receive prayer updates from the church via email. If consent was obtained before GDPR came into force and you doubt that it complies with the tougher standards of GDPR, it must be updated.
Data of children
We know children are part of the church, and GDPR adds an extra layer of protection to the data of this age group. As mentioned earlier, it is consent that provides a lawful basis for processing personally identifiable data. To process the data of children under the age of consent, you need to obtain consent from their parents or guardians, or from whoever holds parental responsibility. The age of consent is generally 16; however, certain member states, such as the UK, have provisions lowering the consent age to 13. If you offer sign-up for free or paid children’s events, give clear notice in the privacy policy in terms that children can understand.
Consent can be withdrawn
GDPR bolsters the rights of EU citizens by handing them great control over their personal data. Consent given earlier to process data for a certain purpose can later be withdrawn by the data subject. As a data controller, you must have a policy to inform them of their right to do so at any time. For example, a member may no longer want to receive prayer updates through email. Note, though, that legal exemptions may apply; for instance, information about a person who has been involved as a leader in child-related activities may need to be kept. In this case, the laws requiring storage of their areas of involvement can override the GDPR.
Religiously sensitive data
Faith organizations and churches are under extra obligations because they hold personal data that falls under the GDPR’s sensitive data category. Religious and philosophical beliefs are among the many sorts of sensitive personal data that can expose an individual to a potential risk of persecution. Therefore, processing such data is generally prohibited, and it can only be processed under specific derogations, e.g., with the explicit consent of the data subject.
Data Security
When it comes to safeguarding the personal data one holds, GDPR obliges data controllers and processors to take organizational and technical measures to protect personal information. Some of the measures it suggests include encryption and pseudonymization of personal information, a process for regularly testing and evaluating the effectiveness of security measures, the ability to restore timely access to personal data, and ensuring availability, integrity, and confidentiality.
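To make the pseudonymization measure concrete, here is an added example (not UCare’s code, and not a description of how the UCare product works) showing one common approach: direct identifiers are replaced with a keyed token, and the table that maps tokens back to identities is kept separately from the working dataset. The member records, field names and key are constructed for the illustration; the secret key would in practice live in a key store accessible only to the controller.

```python
import hashlib
import hmac
import secrets

# Constructed sample records of the kind a church management system might hold:
# direct identifiers plus a special-category field (religious belief).
MEMBERS = [
    {"member_id": "M-1001", "name": "Alice Example", "email": "alice@example.org",
     "religion": "Christian", "prayer_updates": True},
    {"member_id": "M-1002", "name": "Bob Example", "email": "bob@example.org",
     "religion": "Christian", "prayer_updates": False},
]

# Fields that identify a person directly; these must not travel with the working data.
DIRECT_IDENTIFIERS = ("member_id", "name", "email")


def pseudonym(secret_key: bytes, member_id: str) -> str:
    """Keyed token for a member id.

    An HMAC is used instead of a plain hash so that someone holding only the
    tokens cannot recompute them from a list of known member ids; the secret
    key is the 'additional information' that makes re-identification possible.
    """
    return hmac.new(secret_key, member_id.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, secret_key: bytes):
    """Split records into (pseudonymized dataset, separately stored lookup table)."""
    data, lookup = [], {}
    for rec in records:
        token = pseudonym(secret_key, rec["member_id"])
        # The lookup table holds the identities; store it apart from `data`.
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        data.append({"token": token,
                     **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return data, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse the split for a party that legitimately holds the lookup table."""
    return {**lookup[record["token"]],
            **{k: v for k, v in record.items() if k != "token"}}


def leaks_identifier(records) -> bool:
    """Sanity check before handing data to analytics: no direct identifier survives."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed for the demo; keep real keys in a key store
    working_data, identity_table = pseudonymize(MEMBERS, key)
    print("working dataset:", working_data)
    print("leaks identifiers:", leaks_identifier(working_data))
    print("re-identified:", reidentify(working_data[0], identity_table))
```

The working dataset still lets the controller link records about the same member (the same key and id always give the same token), which is what distinguishes pseudonymization from anonymization and why GDPR still treats pseudonymized data as personal data. Rotating the key or discarding the lookup table breaks that link.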